Extending FreeIPA (Schema, CI, UI)
by Leo O
Hello,
I'm running on the FreeIPA rocky-8-4.9.6 Docker container.
I would like to extend FreeIPA with the postfix-book schema. I need it for a mail server. Unfortunately I can't find any documentation about that. Just an old presentation (FreeIPA 3.3 Training Series) and an old, maybe still valid, example: https://github.com/abbra/freeipa-userstatus-plugin.
Documentation would be really good and helpful. Does anyone have some notes (they don't have to be full, polished documentation), or maybe some more examples for the current FreeIPA version?
Thanks
1 year, 10 months
Force early renewal of server certificate
by Ian Pilcher
It seems that Firefox has now started warning about certificates that
don't include a subject alternative name. (Honestly, I had no idea that
it wasn't already doing so; Chrome has been doing this for years.)
My EL7 FreeIPA server still uses a "sans SAN" certificate for its HTTPS
interface, so I would like to regenerate it.
1. Is it possible to use ipa-getcert to request an early renewal, or do
I have to delete/recreate it?
2. This is a fully updated CentOS 7 system, running the included
version of FreeIPA (ipa-server-4.6.8-5.el7.centos.10.x86_64). Will
it automatically include a SAN extension when it renews the server
certificate (or issues a new one), or do I need to modify a
certificate profile?
3. Related to the above, which profile should I use if I need to
issue a completely new certificate - caIPAserviceCert?
4. Are any other steps necessary? I.e., if I have to delete and re-
issue the certificate, do I need to update any other configuration
files or directory records to reference the new certificate?
Thanks!
--
========================================================================
Google Where SkyNet meets Idiocracy
========================================================================
1 year, 10 months
Re: Upgrading from EL7.9 to EL8
by Rob Crittenden
Angus Clarke via FreeIPA-users wrote:
> Hello
>
> I am planning the upgrade of one of our FreeIPA deployments from EL7.9
>
> Previously, we have been quite good at upgrading through OS point
> upgrades (7.3, 7.4, 7.5 etc) as this was the advice through that series
> of FreeIPA software.
>
> Upgrading our FreeIPAs from EL7.9 today will see me introduce an EL8
> FreeIPA which will receive the freeipa software from the Appstream
> repository. At time of writing, that process will see me introducing a
> replica running ipa-server 4.9.8 to my existing FreeIPA nodes running
> ipa-server 4.6.8
>
> Should I be concerned about more minor updates and find some way of
> upgrading through different ipa-server (and dependencies) releases from
> Appstream or do you think I should just run the procedure as described
> above?
Major version upgrades via adding a new machine is the recommended and
documented route. It includes retiring existing, older servers, so have
a plan for that.
Running mixed versions is likely fine in most cases but we don't
recommend doing it for very long and encourage a relatively fast
migration (weeks not months). Be sure to watch the replication topology
and maintain the service mix (e.g. at least 2 CAs), and have one CA
designated as the renewal master, CRL master, etc. It's all in the docs.
rob
1 year, 10 months
ID Views change sudo rules for local user
by Alessandro Fort
Hi,
I have a local user (let's call it local) that has NOPASSWD set in
/etc/sudoers. When I apply an ID view to change my FreeIPA user's (let's
call it domain) username, UID, GID, shell and home to that of local,
whenever I try to use sudo after logging in with either domain or local,
domain's sudo rules apply and I am asked for a password. Is this
expected behaviour or a quirk of my configuration/policies? I would
expect that when logging in using domain, FreeIPA sudo rules are
applied, while if I log in using local I'd get the old /etc/sudoers
policy. Is this possible?
Thank you!
1 year, 10 months
kdb5_util: Plugin does not support the operation performing Kerberos version 5 release 1.11 dump
by rui liang
> Oh, I see. Thank you for your guidance.
>
> My system is Ubuntu 16.04 with FreeIPA 4.3. Because the current CA cert has expired and
> there are problems, it is difficult to repair, so I want to rebuild the new environment to
> recover the user data on the old cluster. Is there any good scheme recommended? Thank you very much
I tried the kdb5_util tool to import Kerberos data into the new IPA environment, but I got a message that the file was empty. What's the reason?
man kdb5_util
1.13.2 KDB5_UTIL(8)
https://web.mit.edu/kerberos/krb5-1.13/doc/admin/admin_commands/kdb5_util...
root@migration-ipa-65:~# kdb5_util dump mydump
kdb5_util: Plugin does not support the operation performing Kerberos version 5 release 1.11 dump
root@migration-ipa-65:~# kdb5_util dump -verbose mydump
admin@YYDEVOPS.COM
K/M@YYDEVOPS.COM
krbtgt/YYDEVOPS.COM@YYDEVOPS.COM
kadmin/migration-ipa-65.185.hiido.host.yydevops.com@YYDEVOPS.COM
kadmin/admin@YYDEVOPS.COM
kadmin/changepw@YYDEVOPS.COM
kiprop/migration-ipa-65.185.hiido.host.yydevops.com@YYDEVOPS.COM
ldap/migration-ipa-65.185.hiido.host.yydevops.com@YYDEVOPS.COM
host/migration-ipa-65.185.hiido.host.yydevops.com@YYDEVOPS.COM
HTTP/migration-ipa-65.185.hiido.host.yydevops.com@YYDEVOPS.COM
csantana@YYDEVOPS.COM
roy@YYDEVOPS.COM
kdb5_util: Plugin does not support the operation performing Kerberos version 5 release 1.11 dump
-old|-ov|-b6|-b7|-r13|-r18 I tried all the parameters, but it didn't work. Why?
1 year, 10 months
ipa migrate-ds later kerberos Generic preauthentication failure while getting initial credentials
by rui liang
I want to migrate the old freeipa LDAP server to a new Freeipa server. However, after using this migration scheme, I find that the old keytab file cannot be logged in. How do I set up the old keytab file to work properly?
https://www.freeipa.org/page/Howto/Migration
echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://migrated.freeipa.server.test
ssh new.migrated.freeipa.server.test
Use the old keytab file
root@migration-ipa-65:/home/liangrui# kinit -kt roy.keytab roy
kinit: Generic preauthentication failure while getting initial credentials
1 year, 10 months
Can the UPN searched for in a trust be modified?
by Ranbir
Hello Everyone,
I have a situation where users' UPN in AD for the domain that my ipa
domain has a trust with has been modified to look nothing like the
domain account. The user name and suffix entered in the UPN don't match
the AD account name or the trusted domain.
I've used ipa trust-mod to add two suffixes where one matches the AD
domain and the other matches what's entered in the UPN.
I've looked through the man pages for sssd-ad and sssd-ldap, but I
didn't immediately see an option that would allow me to modify what's
being searched for the user name in the UPN. I'm looking through the
man pages again. But, I figured I should ask here, too: is it possible
to also modify the "user name" portion of the UPN that's being looked
up for the trusted account?
--
Ranbir
1 year, 10 months
Re: ipa-server-certinstall -k
by Charles Hedrick
the error is
The KDC certificate in cert.pem, privkey.pem is not valid: invalid for a KDC
________________________________
From: Charles Hedrick via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Wednesday, June 15, 2022 3:39 PM
To: freeipa-users(a)lists.fedorahosted.org <freeipa-users(a)lists.fedorahosted.org>
Cc: Charles Hedrick <hedrick(a)rutgers.edu>
Subject: [Freeipa-users] ipa-server-certinstall -k
ipa-server-certinstall works fine for http and ldap. But I can't get the -k option to work.
I've tried cert.pem and privkey.pem with and without chain.pem, as well as fullchain.pem and privkey.pem (fullchain has both the cert and the chain).
The certs were issued by Internet2, which chains up to addtrust.
kinit -n works fine if I install the pem files manually, so presumably my files are valid.
1 year, 10 months
ipa-server-certinstall -k
by Charles Hedrick
ipa-server-certinstall works fine for http and ldap. But I can't get the -k option to work.
I've tried cert.pem and privkey.pem with and without chain.pem, as well as fullchain.pem and privkey.pem (fullchain has both the cert and the chain).
The certs were issued by Internet2, which chains up to addtrust.
kinit -n works fine if I install the pem files manually, so presumably my files are valid.
1 year, 10 months
FreeIPA 4.9.10
by Antonio Torres
The FreeIPA team would like to announce FreeIPA 4.9.10 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora distributions will be available from the official repository
soon.
== Highlights in 4.9.10
* 1539: [RFE] Add code to check password expiration on ldap bind
User can no longer do LDAP BIND operation with expired password.
* 8803: Add support for managing IdP references
FreeIPA can now authenticate users with the help of OAuth 2.0
identity providers supporting OAuth 2.0 Device Authorization Flow.
IdPs known to work are Keycloak, Microsoft Azure, Google, Github,
and Okta. Details on how to use Keycloak can be found in FreeIPA
workshop:
https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support...
* 8977: subid: subid-match displays the DN of the owner, not its UID.
subid: subid-match now displays the UID of the range owner, not its
DN.
* 9128: Turn down debug from ipa-dnskeysyncd
ipa-dnskeysyncd and ipa-ods-exporter daemons used to log all debug
messages in the journal. The log level can now be configured by
setting debug=True in /etc/ipa/dns.conf. For more information refer
to default.conf(5).
* 9147: ipa-server-install --uninstall fails on Fedora 33, returned
non-zero exit status 2: Unable to disable feature: No such file or
directory
The uninstaller is now able to properly handle configurations
originally done with authconfig instead of authselect.
* 9150: Remove 'Remove' button from subid page
subid ranges cannot be removed. A button in Web UI subid management
page to remove the range was removed to not confuse users.
* 9159: [RFE] ipa-client-install should provide option to enable subid:
sss in /etc/nsswitch.conf
IPA installers now provide the ability to configure SSSD as
datasource for subid.
* 9171: Boolean value not mapped on WebUI checkbox
FreeIPA now properly exposes boolean LDAP values at IPA API Python
and JSON-RPC levels. External IPA API consumers might need to switch
from using "TRUE" and "FALSE" strings to True and False boolean
values.
* 9174: Update Suse support in freeipa
FreeIPA client installer should now configure openSUSE 15.3 to
Tumbleweed versions.
=== Bug fixes
FreeIPA 4.9.10 is a stabilization release for the features delivered as
a part of 4.9 version series.
There are more than 20 bug-fixes since FreeIPA 4.9.9 release. Details of
the bug-fixes can be seen in the list of resolved tickets below.
== Upgrading
Upgrade instructions are available on Upgrade page.
== Feedback
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on libera.chat.
== Resolved tickets
* https://pagure.io/freeipa/issue/1539[#1539]
(https://bugzilla.redhat.com/show_bug.cgi?id=782917[rhbz#782917]) [RFE]
Add code to check password expiration on ldap bind
* https://pagure.io/freeipa/issue/8582[#8582] Nightly test failure in
test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica
- ClonesConnectivyAndDataCheck
* https://pagure.io/freeipa/issue/8803[#8803] Add support for managing
IdP references
* https://pagure.io/freeipa/issue/8804[#8804] Extend supported user
authentication methods in IPA to allow IdP auth
* https://pagure.io/freeipa/issue/8805[#8805] Extend `ipa-otpd` daemon
to recognize IdP references
* https://pagure.io/freeipa/issue/8977[#8977]
(https://bugzilla.redhat.com/show_bug.cgi?id=2000947[rhbz#2000947])
subid: subid-match displays the DN of the owner, not its UID.
* https://pagure.io/freeipa/issue/9121[#9121]
(https://bugzilla.redhat.com/show_bug.cgi?id=2056508[rhbz#2056508]) Ipa
server ignores max ticket lifetime when using spake preauth, issues
ticket with 24h lifetime
* https://pagure.io/freeipa/issue/9128[#9128]
(https://bugzilla.redhat.com/show_bug.cgi?id=2059396[rhbz#2059396]) Turn
down debug from ipa-dnskeysyncd
* https://pagure.io/freeipa/issue/9136[#9136]
(https://bugzilla.redhat.com/show_bug.cgi?id=1872467[rhbz#1872467]) Add
tests for ipa-healthcheck setting command-line options in configuration
* https://pagure.io/freeipa/issue/9140[#9140] Test
test_rekey_keytype_DSA should be disabled
* https://pagure.io/freeipa/issue/9145[#9145] Configure email subject
line for IPA EPN
* https://pagure.io/freeipa/issue/9146[#9146] Nightly test failure in
`test_epn.py::TestEPN::test_EPN_config_file`
* https://pagure.io/freeipa/issue/9147[#9147]
(https://bugzilla.redhat.com/show_bug.cgi?id=1958777[rhbz#1958777])
ipa-server-install --uninstall fails on Fedora 33, returned non-zero
exit status 2: Unable to disable feature: No such file or directory
* https://pagure.io/freeipa/issue/9148[#9148] documentation build fails
in readthedocs
* https://pagure.io/freeipa/issue/9150[#9150]
(https://bugzilla.redhat.com/show_bug.cgi?id=2063155[rhbz#2063155])
Remove 'Remove' button from subid page
* https://pagure.io/freeipa/issue/9151[#9151]
(https://bugzilla.redhat.com/show_bug.cgi?id=2012911[rhbz#2012911])
Disable DNSSEC in ipa-healthcheck tests
* https://pagure.io/freeipa/issue/9152[#9152] Regression in
TestIpaHealthCheckWithoutDNS
* https://pagure.io/freeipa/issue/9155[#9155] Depend on sssd-idp
directly to help RHEL BaseOS/AppStream repository split
* https://pagure.io/freeipa/issue/9157[#9157] implement support for bind
9.18+
* https://pagure.io/freeipa/issue/9159[#9159]
(https://bugzilla.redhat.com/show_bug.cgi?id=2068088[rhbz#2068088])
[RFE] ipa-client-install should provide option to enable subid: sss in
/etc/nsswitch.conf
* https://pagure.io/freeipa/issue/9162[#9162]
(https://bugzilla.redhat.com/show_bug.cgi?id=2004646[rhbz#2004646]) RFE:
Improve error message with more detail for ipa-replica-install command
* https://pagure.io/freeipa/issue/9165[#9165] Nightly test failure
(rawhide) in test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_otp
* https://pagure.io/freeipa/issue/9167[#9167] Nightly test failure in
test_graceperiod_not_replicated
* https://pagure.io/freeipa/issue/9171[#9171] Boolean value not mapped
on WebUI checkbox
* https://pagure.io/freeipa/issue/9173[#9173] Inconsistent ACI
before/after running ipa-server-upgrade
* https://pagure.io/freeipa/issue/9174[#9174] Update Suse support in
freeipa
* https://pagure.io/freeipa/issue/9175[#9175] ipatests: need to update
expected output for ipa-healthcheck's DogtagCertsConnectivityCheck
* https://pagure.io/freeipa/issue/9176[#9176]
(https://bugzilla.redhat.com/show_bug.cgi?id=2092015[rhbz#2092015])
secret in ipa-pki-proxy.conf is not changed if new requiredSecret value
is present in /etc/pki/pki-tomcat/server.xml
* https://pagure.io/freeipa/issue/9178[#9178] idviews: use cached
ipaOriginalUid value when resolving ID override anchor
* https://pagure.io/freeipa/issue/9180[#9180] Add new config option for
LDAP cache debugging
== Detailed changelog since 4.9.9
=== Armando Neto (2)
* ipatests: bump pr-ci templates
https://pagure.io/freeipa/c/f3255393188dbfb32f74150243b0e7f2c6ba4dc9[commit]
* workshop: Update docs and support default cloud image
https://pagure.io/freeipa/c/42afcc95be0292dd0dbdf955dbe0e8e3a683782e[commit]
=== Alexander Bokovoy (29)
* idviews: use cached ipaOriginalUid value when resolving ID override
anchor
https://pagure.io/freeipa/c/cfca49c469e822199cbdccd05d4c4a4cbf281448[commit]
https://pagure.io/freeipa/issue/9178[#9178]
* ipaldap: fix conversion from boolean OID to Python
https://pagure.io/freeipa/c/faeb656c77adf27a49ccaceb57fc1ba44e11cc1d[commit]
https://pagure.io/freeipa/issue/9171[#9171]
* ipa-kdb: avoid additional checks for a well-known anonymous principal
https://pagure.io/freeipa/c/6c6fc7db61d83e01a4913d22dfb178af43d30d8b[commit]
https://pagure.io/freeipa/issue/9165[#9165]
* Ignore dnssec-enable-related named-checkonf errors in test
https://pagure.io/freeipa/c/35c720cab0d91e730e94d95abfdd54d7882987d0[commit]
https://pagure.io/freeipa/issue/9157[#9157]
* Support dnssec utils from bind 9.17.2+
https://pagure.io/freeipa/c/1c6bdf97598984e74318061449f7906e487cd034[commit]
https://pagure.io/freeipa/issue/9157[#9157]
* ipa-kdb: apply per-indicator settings from inherited ticket policy
https://pagure.io/freeipa/c/a2baae42f8cff025521df19eed793f8184ce5974[commit]
https://pagure.io/freeipa/issue/9121[#9121]
* freeipa.spec.in: Depend on sssd-idp directly to help RHEL
BaseOS/AppStream repository split
https://pagure.io/freeipa/c/979163bff2e689c46ff67d6976f7927f0d81f9cd[commit]
https://pagure.io/freeipa/issue/9155[#9155]
* docs: tune RTD to display lists with disc and left margin
https://pagure.io/freeipa/c/40a257f1e682616c66c77c86be14437dbcad8a8c[commit]
* workshop: add chapter 12: External IdP support
https://pagure.io/freeipa/c/5f9e0d3ff3bd80b75bc9f5de97e7e086ba0a31e3[commit]
* freeipa.spec.in: use SSSD 2.7.0 to add IdP pre-auth mechanism
https://pagure.io/freeipa/c/d49aa7103bacba60bae28f32bd76d9d35853626b[commit]
https://pagure.io/freeipa/issue/8805[#8805]
* doc/workshop: document use of pam_sss_gss PAM module
https://pagure.io/freeipa/c/d0eab8fe7609fea0b46ea863db1822eca1daac63[commit]
* External IdP: initial SELinux policy
https://pagure.io/freeipa/c/660c3dc2491fc2ee01031c1c59db6e0bb025bf93[commit]
* External IdP: add Web UI to manage IdP references
https://pagure.io/freeipa/c/51a4e42dd777661addd4f2fed1654ee978e8a4d7[commit]
* KDB: support external IdP configuration
https://pagure.io/freeipa/c/673478b1cf9950aed755a6a9ae8f81cb323932b3[commit]
https://pagure.io/freeipa/issue/8804[#8804]
* ipa-otpd: add support for SSSD OIDC helper
https://pagure.io/freeipa/c/bf8e2bb99f1c09ced820bd4bf6e9d7832db2caea[commit]
https://pagure.io/freeipa/issue/8805[#8805]
* external-idp: add XMLRPC tests for External IdP objects and idp
indicator
https://pagure.io/freeipa/c/b77015b7a3b627282560253cf2cd579c89f02923[commit]
https://pagure.io/freeipa/issue/8803[#8803],
https://pagure.io/freeipa/issue/8804[#8804]
* external-idp: add support to manage external IdP objects
https://pagure.io/freeipa/c/2136bd5d00f7aed5ae722ff8253c2b74ba444972[commit]
https://pagure.io/freeipa/issue/8803[#8803],
https://pagure.io/freeipa/issue/8804[#8804]
* external-idp: add LDAP schema, indices and other LDAP objects
https://pagure.io/freeipa/c/1df7b82ac188650775703dc95530017c969d0bff[commit]
https://pagure.io/freeipa/issue/8803[#8803]
* doc/designs: add External IdP support design documents
https://pagure.io/freeipa/c/8d81338cb94a2d850f53629ebba98a1f1ec90d1e[commit]
https://pagure.io/freeipa/issue/8803[#8803],
https://pagure.io/freeipa/issue/8804[#8804],
https://pagure.io/freeipa/issue/8805[#8805]
* js tests: use latest grunt
https://pagure.io/freeipa/c/ea0275f6113854feb02715265a5a85904023816d[commit]
* Azure CI: don't force non-existing OpenSSL configuration anymore
https://pagure.io/freeipa/c/c2434c4e52fa2121331ab358325345b308fbc3dd[commit]
* Azure CI: temporarily add libldap_r.so symlink for python-ldap PIP use
https://pagure.io/freeipa/c/137e62cc2faade831abc4b1955a0c0319f2d8a0f[commit]
* Switch Azure CI to Fedora 36 pre-release
https://pagure.io/freeipa/c/1e882144bb5c5661906eeaefa6ce6f511005bfb2[commit]
* web ui: do not provide Remove button in subid page
https://pagure.io/freeipa/c/59cf9017a009bb5eb4f6ef0ed07aa21e60614ab3[commit]
https://pagure.io/freeipa/issue/9150[#9150]
* docs: force sphinx version above 3.0 to avoid caching in RTD
https://pagure.io/freeipa/c/5ea1866f1bdea4e20894906e7dbdbde27f9715cd[commit]
* docs: update Sphinx requirements in ipasphinx package
https://pagure.io/freeipa/c/ffd8f14af2a1d2d1bce9011473449706902d884d[commit]
https://pagure.io/freeipa/issue/9148[#9148]
* docs: add the readthedocs configuration
https://pagure.io/freeipa/c/68c20846cf80eb2d46a05e0f8879ddfbd19fbbec[commit]
https://pagure.io/freeipa/issue/9148[#9148]
* docs: add plantuml and use virtual environment to generate docs
https://pagure.io/freeipa/c/7ddef72fbbf779da32660d54389d68a7c3b35a1a[commit]
https://pagure.io/freeipa/issue/9148[#9148]
* doc: migrate to m2r2 and newer sphinx, add plantuml to venv
https://pagure.io/freeipa/c/de918aea190401183da4742fc9d56101a13f1b17[commit]
https://pagure.io/freeipa/issue/9148[#9148]
=== Anuja More (2)
* pr-ci definitions: add external idp related jobs.
https://pagure.io/freeipa/c/b39f9336fa12e7f28ce0a5c51677983bc9b72621[commit]
* ipatests: Add integration tests for External IdP support
https://pagure.io/freeipa/c/b979dd91f149fd1f4fc1f48466a26f575eae0ae4[commit]
https://pagure.io/freeipa/issue/8803[#8803],
https://pagure.io/freeipa/issue/8804[#8804],
https://pagure.io/freeipa/issue/8805[#8805]
=== Antonio Torres (1)
* Back to git snapshots
https://pagure.io/freeipa/c/0cdbe00a72eeb8b1f18a37ca75fb16eea5b25119[commit]
=== Matthew Davis (1)
* Create missing SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
https://pagure.io/freeipa/c/70d23b225d11a6c8c16bd94faa8891100b83c1ac[commit]
https://pagure.io/freeipa/issue/9174[#9174]
=== Florence Blanc-Renaud (12)
* ACI: define "Read DNS entries from a zone" aci during install
https://pagure.io/freeipa/c/4b8b032ed5dd33662032e82ba4e296e7b0700c17[commit]
https://pagure.io/freeipa/issue/9173[#9173]
* ipatests: update expected output for boolean attribute
https://pagure.io/freeipa/c/c6bc8fd4c80d7ab9cd369ffce521d52c0eabe4cb[commit]
https://pagure.io/freeipa/issue/9171[#9171]
* ipa-replica-install: nsds5replicaUpdateInProgress is a Boolean
https://pagure.io/freeipa/c/23d56bb95229756054df72de4d50fead8fc6116e[commit]
https://pagure.io/freeipa/issue/9171[#9171]
* ipatest: update expected out for ipa-healthcheck's
DogtagCertsConnectivityCheck
https://pagure.io/freeipa/c/6147f877a57dab33cccea08cc57fcb7b82d4a602[commit]
https://pagure.io/freeipa/issue/9175[#9175]
* ipatests: add new test with --subid installer option
https://pagure.io/freeipa/c/0193498f682eb3efa9cbdf82af215eaa854f466a[commit]
https://pagure.io/freeipa/issue/9159[#9159]
* man pages: document the --subid installer option
https://pagure.io/freeipa/c/e10f3385d0bbb4100a8220ce372dc2748f8b329e[commit]
https://pagure.io/freeipa/issue/9159[#9159]
* Installer: add --subid option to select the sssd profile with-subid
https://pagure.io/freeipa/c/74b2fd06d978d56137ccfde310f9c64187e0a5a3[commit]
https://pagure.io/freeipa/issue/9159[#9159]
* client uninstall: handle uninstall with authconfig
https://pagure.io/freeipa/c/d39e232e9ee28da5d4488135d264d2d1b9e671ba[commit]
https://pagure.io/freeipa/issue/9147[#9147]
* ipatests: --no-dnssec-validation requires --setup-dns
https://pagure.io/freeipa/c/7f814d9f54207a53c99155e542cc5b210707d0fd[commit]
https://pagure.io/freeipa/issue/9152[#9152]
* ipatests: remove test_rekey_keytype_DSA
https://pagure.io/freeipa/c/b3093d9c3990f8e899487087965f008607a519c6[commit]
https://pagure.io/freeipa/issue/9140[#9140]
* ipatests: update the expected sha256sum of epn.conf file
https://pagure.io/freeipa/c/5877c4e17a92c73aa68b8ba3c7a47555e32a13ca[commit]
https://pagure.io/freeipa/issue/9146[#9146]
* EPN: document missing option msg_subject
https://pagure.io/freeipa/c/d37d1f717ec725726d770ea73b4ab2e418c485e2[commit]
https://pagure.io/freeipa/issue/9145[#9145]
=== Francisco Trivino (3)
* Update subordinate design doc
https://pagure.io/freeipa/c/8abc0a22a8866e82776afbd7c3bc5e3195c43115[commit]
* Update ipa-replica-install replication agreement error message
https://pagure.io/freeipa/c/c03a8c3c06562c128aac6be506274995cea74948[commit]
https://pagure.io/freeipa/issue/9162[#9162]
* ipatests: Bump PR-CI latest templates to Fedora 36
https://pagure.io/freeipa/c/9ae6ef549fe51457a6f505f3c0ea6a7804e9bcd2[commit]
=== Matthew Davis (1)
* Suse compatibility fix
https://pagure.io/freeipa/c/fe048d83cb88593e490af8b95c12917071683b4c[commit]
https://pagure.io/freeipa/issue/9174[#9174]
=== Michal Polovka (4)
* ipatests: xfail for test_ipahealthcheck_hidden_replica to respect pki
version
https://pagure.io/freeipa/c/60739ce483e897cbd85575304dfb7562066189e4[commit]
https://pagure.io/freeipa/issue/8582[#8582]
* ipatests: tasks: add ipactl start, stop and restart
https://pagure.io/freeipa/c/58ddcffc412f7dd5cc762bd6f80faa07fcedf7ec[commit]
* ipatests: RFE: Improve ipa-replica-install error message
https://pagure.io/freeipa/c/352b9dfb49bdf1c70a8de9ed7287387417580c86[commit]
https://pagure.io/freeipa/issue/9162[#9162]
* ipatests: test_subids: test subid-match shows UID of the owner
https://pagure.io/freeipa/c/ab0e67d1f51c2db620de002d5f61425e0a65c9aa[commit]
https://pagure.io/freeipa/issue/8977[#8977]
=== Rob Crittenden (14)
* Add switch for LDAP cache debug output
https://pagure.io/freeipa/c/d062dc9da891cbb3b0ab04291d89afddf140c560[commit]
https://pagure.io/freeipa/issue/9180[#9180]
* Remove extraneous AJP secret from server.xml on upgrades
https://pagure.io/freeipa/c/deaaaaf1492410269c1f66f8d4bb57e41b99d87c[commit]
https://pagure.io/freeipa/issue/9176[#9176]
* graceperiod: ignore case when checking for missing objectclass
https://pagure.io/freeipa/c/e6cc41094b2bc526e9f8e87229e8f83a74cfc263[commit]
https://pagure.io/freeipa/issue/1539[#1539]
* Set default LDAP password grace period to -1
https://pagure.io/freeipa/c/9b0fbdc37b92981d541a4152fdfeb0964692878f[commit]
https://pagure.io/freeipa/issue/1539[#1539]
* doc: Design document for LDAP graceperiod
https://pagure.io/freeipa/c/d2b296454c57ab639b8e023050dabc193693c42f[commit]
https://pagure.io/freeipa/issue/1539[#1539]
* Don't duplicate the LDAP gracelimit set in the previous test
https://pagure.io/freeipa/c/8b2edd5b4e13cb7a8b9b9eec4a0e194b4e6ca71b[commit]
https://pagure.io/freeipa/issue/9167[#9167]
* Configure and enable the graceperiod plugin on upgrades
https://pagure.io/freeipa/c/62bafcc53d4f45b28eb9a541e5385c2f1e7a3f97[commit]
https://pagure.io/freeipa/issue/1539[#1539]
* dnssec daemons: read the dns context config file for debug state
https://pagure.io/freeipa/c/c00286462196026337600113119eb5522b96141a[commit]
https://pagure.io/freeipa/issue/9128[#9128]
* healthcheck: add tests for setting cli options in config file
https://pagure.io/freeipa/c/0e8350e0dd8219fd8245f57e0ebc9a096e9be84f[commit]
https://pagure.io/freeipa/issue/9136[#9136]
* Exclude passwordgraceusertime from replication
https://pagure.io/freeipa/c/87fe3fbba6d2b5bf2a7e9a0fca91c4e588641c9c[commit]
https://pagure.io/freeipa/issue/1539[#1539]
* Remove the replicated attribute constants
https://pagure.io/freeipa/c/6b3ab98b90686bb41a901af6b1cf5da99b99a148[commit]
https://pagure.io/freeipa/issue/1539[#1539]
* Implement LDAP bind grace period 389-ds plugin
https://pagure.io/freeipa/c/4fcbf2ded2563ff5151edee9384d793ad38f6dae[commit]
https://pagure.io/freeipa/issue/1539[#1539]
* If the password auth type is enabled also enable the hardened policy
https://pagure.io/freeipa/c/300f1301bbbe8a62183819f4350f47e3f182b7f1[commit]
https://pagure.io/freeipa/issue/9121[#9121]
* kdb: The jitter offset should always be positive
https://pagure.io/freeipa/c/ed1447ab612e5445a76e979fb059825bab84d1df[commit]
https://pagure.io/freeipa/issue/9121[#9121]
=== Sudhir Menon (2)
* ipatests: ipahealthcheck tests to check change in permission of
ipaserver log files
https://pagure.io/freeipa/c/3488276649861563471398b3747224ca54875861[commit]
* ipatests: Adding --no-dnssec-validation option for healthcheck
https://pagure.io/freeipa/c/f11b7b3bf50f7ccf4689b1b0f80894b0b1247983[commit]
https://pagure.io/freeipa/issue/9151[#9151]
=== Thorsten Scherf (2)
* workshop: add freeipa version requirements
https://pagure.io/freeipa/c/84c88b69fe250bbff32e2c9abcf1d118e883eb22[commit]
* workshop: add freeipa version requirements
https://pagure.io/freeipa/c/7e596fd16c5056815bce9e7ae15b58dd3fd25e7e[commit]
1 year, 10 months
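For the 9171 highlight in the FreeIPA 4.9.10 announcement above (boolean LDAP values now exposed as True/False instead of "TRUE"/"FALSE" strings), here is a consumer-side shim that accepts both forms and fails loudly on anything else. It is an added example, not code from the FreeIPA project; the rule entries, the use of `ipaenabledflag` as the boolean attribute, and the helper names are assumptions made for illustration.

```python
"""Normalise boolean attributes in IPA API results across the 4.9.10 change.

Added example, not FreeIPA project code. The entries below are constructed
sample data shaped like API result dicts (attribute -> list of values).
"""

# Constructed sample entries: the same rule as an older server might return it
# (strings) and as a 4.9.10+ server returns it (real booleans).
OLD_DISABLED = {"cn": ["allow_admins"], "ipaenabledflag": ["FALSE"]}
OLD_ENABLED = {"cn": ["allow_admins"], "ipaenabledflag": ["TRUE"]}
NEW_DISABLED = {"cn": ["allow_admins"], "ipaenabledflag": [False]}
NEW_ENABLED = {"cn": ["allow_admins"], "ipaenabledflag": [True]}


def ipa_bool(value, default=None):
    """Return a Python bool for a boolean attribute value.

    Accepts a native bool, a "TRUE"/"FALSE" string, or a one-element
    list/tuple wrapping either. None or an empty list yields `default`.
    Anything else raises ValueError instead of being guessed at.
    """
    if isinstance(value, (list, tuple)):
        if not value:
            return default
        if len(value) != 1:
            raise ValueError("expected a single boolean value, got %r" % (value,))
        value = value[0]
    if value is None:
        return default
    if isinstance(value, bool):  # checked before str; bool is also an int
        return value
    if isinstance(value, str):
        text = value.strip().upper()
        if text == "TRUE":
            return True
        if text == "FALSE":
            return False
    raise ValueError("not an LDAP boolean: %r" % (value,))


def rule_enabled(entry, attr="ipaenabledflag"):
    """True only if the entry explicitly says it is enabled (fails closed)."""
    return ipa_bool(entry.get(attr), default=False)


# Two patterns an API consumer may already contain, kept here to show how
# each one goes wrong on one side of the change.
def naive_string_check(entry):
    # Correct before 4.9.10; on a new server True == "TRUE" is False,
    # so an enabled rule is reported as disabled.
    return entry["ipaenabledflag"][0] == "TRUE"


def naive_truthy_check(entry):
    # Correct on a new server; on an old one the non-empty string "FALSE"
    # is truthy, so a disabled rule is reported as enabled.
    return bool(entry["ipaenabledflag"][0])


if __name__ == "__main__":
    for name, entry in [("old/disabled", OLD_DISABLED), ("old/enabled", OLD_ENABLED),
                        ("new/disabled", NEW_DISABLED), ("new/enabled", NEW_ENABLED)]:
        print("%-13s shim=%-5s string==%-5s truthy=%s" % (
            name, rule_enabled(entry), naive_string_check(entry),
            naive_truthy_check(entry)))
```

During a mixed-version migration the same script may talk to servers on both sides of the change, which is when the two naive checks disagree with each other.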